OpenStackSummit



  • OVH at the OpenStack Summit in Berlin Alain Fiocco (CTO) attended the OpenStack Summit in Berlin to showcase the OpenStack infrastructure deployed at OVH, and share the challenges our teams face every day running a large-scale global infrastructure. OVH ♥ OpenStack.
  • The OpenStack Summit is a five-day conference for developers, users, and administrators of OpenStack cloud software. Come meet NGINX in Austin, Texas on April 25th-29th and learn how NGINX Plus is designed to easily connect, secure, and scale cloud-based applications.
  • Starting with the W release, the naming criteria changed from referring to the physical or human geography of the region encompassing the location of the OpenStack Summit, to any name proposed by the community that starts with the designated release letter.


Event Details
Date: November 13 – 15, 2018
Location: Berlin, Germany
Venue: CityCube
Booth: B10
OpenStack Summit Berlin

Canonical, the company behind Ubuntu, is headlining the main event of the season, OpenStack Summit Berlin, November 13 – 15, 2018.

As a founding member, we are passionate about OpenStack and talking to its users about the latest trends, challenges, and finding ways in which we can help each other.

Ubuntu is at the heart of the world’s largest OpenStack clouds in key sectors such as finance, media, retail and telecoms. With Ubuntu as the number one platform for OpenStack and public clouds, Canonical is a leader in building and operating multi-clouds.

Canonical provides consulting, training, enterprise support and remote operations, to help enterprises focus on what matters most — their applications, not the infrastructure.

With the move of compute to the edge, and the emergence of new workloads such as artificial intelligence and machine learning, it is more important than ever to be able to build clouds that are capable of adapting to new hardware.

We had some amazing conversations earlier this year in Vancouver and we hope to have many more in Berlin.

The Summit will be buzzing with activities and the Ubuntu team at Canonical will be offering plenty.

You can join us for:

CEO & Founder, Mark Shuttleworth’s Keynote – Wednesday morning
In booth demos with our engineering experts
Fireside chats with the Canonical team
And don’t forget, BINGO – with our partner Trilio

So grab your coats and gloves and jet over to Berlin to join us at the OpenStack Summit! Our team will be at Booth B10.


These days, almost every service we create has some form of web interface, be it for administration, monitoring or for the core functionality of the service. These interfaces are becoming ever more complex and dynamic, and increasingly interactive. There is a risk, however, when increasing the interactivity of these web services, that we inadvertently allow a user to supply data which can corrupt or disrupt the normal running of that service.


Cross-Site Scripting (XSS) is a class of vulnerability whereby an attacker is able to present active web content to a web service, which is subsequently echoed back to a user and executed by the browser. This content can be as seemingly benign as an embarrassing image or text, or as malign as browser-based exploits intended to steal and utilize the user’s web session, or even compromise the user’s web browser and take control of their client system.


There are three main classes of XSS issue: Persistent, Reflected and DOM-Based. Persistent XSS issues are those where user input is stored by the server, either in a database or in server files, and later presented to any user visiting the affected web page. Reflected XSS issues are those where user input in a request is immediately reflected back to the user without sanitization.

DOM-Based issues are less common, and are present in web applications with rich client-side JavaScript that generates dynamic code or web content from user-controllable data (e.g. URL parameters); the injection happens entirely in the browser, without the server ever reflecting the payload.

When developing web applications, we must be extremely careful to protect against all these classes of issue. To do so, we must never trust any data that originates from, or can be controlled by, the client. All data must be sanitized in a way suitable for how that data is going to be used. To do so, many languages provide built-in functionality to make sure any potentially dangerous control characters are encoded in a way that renders them inactive. The following is a PHP example of this.

Incorrect

The following is a contrived example of how a reflected XSS exploit may occur. If an attacker were to craft the URL ‘http://example.com/?name=<script>alert(1)</script>’, then any user who opens that URL would have the JavaScript executed within the context of their browser, with the privileges of their example.com session. This can be used for malicious purposes.

Most modern Python web frameworks will escape any input that is rendered via templates, which mitigates the majority of these types of attacks. However, there are ways that this can be disabled:

<!-- by default flask will html escape var -->
<p>{{ var }}</p>

<!-- in this instance it will not! -->
<p>{{ var | safe }}</p>

Correct

The correct way to prevent XSS attacks is to validate user input and ensure that data rendered by templates is escaped. Using templates in the way they are intended is preferable:

Any HTML content that is generated directly within a request handler should use the appropriate escaping function:
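The Incorrect and Correct handlers described above, written out as an added example (it is not code from the OpenStack guideline or from Flask). It uses only the Python standard library so it runs without Flask installed: html.escape applies the same encoding that Jinja's autoescape applies to {{ var }} and that | safe switches off. The greeting markup, the WSGI app and the PAYLOAD constant are assumptions made for illustration.

```python
"""Reflected XSS in a request handler: incorrect vs. correct output encoding.

Added example (not OpenStack or Flask code). Standard library only, so it runs
without Flask; escape() does what Jinja's autoescape does for {{ var }} and
what '| safe' turns off."""
from html import escape
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Constructed attacker input: the payload from the ?name= URL in the text.
PAYLOAD = "<script>alert(1)</script>"


def greeting_unsafe(name):
    """Incorrect: the query parameter is pasted straight into the markup, so a
    <script> tag in it is executed by every browser that loads the page."""
    return "<p>Hello %s</p>" % name


def greeting_escaped(name):
    """Correct: encode the HTML metacharacters (& < > " ') so the browser shows
    the input as text. quote=True also covers quoted attribute values."""
    return "<p>Hello %s</p>" % escape(name, quote=True)


def app(environ, start_response):
    """Minimal WSGI handler for /?name=... that always uses the escaped variant.
    Declaring the charset explicitly stops the browser from sniffing one that
    would decode the bytes into different markup."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", ["world"])[0]
    body = greeting_escaped(name).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    print(greeting_unsafe(PAYLOAD))    # the script tag survives intact
    print(greeting_escaped(PAYLOAD))   # &lt;script&gt;... rendered as text
    with make_server("127.0.0.1", 8080, app) as httpd:   # try /?name=<b>x</b>
        httpd.serve_forever()
```

Run it and request http://127.0.0.1:8080/?name=%3Cb%3Ex%3C/b%3E to see the tags arrive as literal text. The encoding is specific to the output context: escape() is right for element content and quoted attribute values, but data placed inside an unquoted attribute, a script block or a URL needs that context's own encoding, which is what sanitizing data "in a way suitable for how that data is going to be used" means in practice.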

Allowing certain special characters


The issue is made more complex when we encounter situations where we need to allow a specific set of special characters, such as the ability to post content containing HTML tags. In this situation we can either accept only known good data, or we can deny all known bad data. Both approaches have pros and cons, with the specific choice of implementation being dependent on the given application. In general, however, the following should be the list of priorities:

  1. Encoding - Replace ALL markup control characters (<, >, &, quotes) with their encoded equivalents, so the browser renders them as text

  2. Positive validation (whitelist) - Only allow a specific set of known-good values

  3. Negative validation (blacklist) - Block a specified list of dangerous values; this is the weakest option because the list is never complete

In cases where positive validation is used, it should also be coupled with additional sanitization. For example, when allowing certain HTML tags, certain attributes of those tags should be removed, such as event handlers, e.g.:

Again, the preferable approach is to only allow known safe attributes, and sanitize the content of those attribute values. If the content is not sanitized, the following vulnerable code could occur:

If the preceding JavaScript function is called with the link parameter containing the following value, the function can be exploited to execute arbitrary code:

A more secure implementation of the above would be:

Note that this is a very specific example for illustration. A more comprehensive approach to sanitization should be taken for larger applications.
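Putting the three priorities above together, as an added example rather than code from the page: a server-side allow-list sanitizer in Python. The page's link-sanitizing snippet is client-side JavaScript; this is its server-side counterpart, not a transcription of it. It keeps only a hypothetical set of tags and per-tag attributes, drops every on* event handler, rejects href values whose scheme is not http or https (so javascript: and data: links are removed, including ones hidden behind leading whitespace or embedded newlines), discards <script> and <style> together with their contents, and re-encodes all text so nothing is copied through unparsed. The policy tables, the Sanitizer class and the function names are assumptions for this example.

```python
"""Allow-list HTML sanitizer: added example, not OpenStack or Flask code.

The tag/attribute policy below is a hypothetical one chosen for illustration."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}     # every other attribute is dropped
ALLOWED_URL_SCHEMES = {"http", "https"}      # rejects javascript:, data:, ...
DROP_CONTENT_TAGS = {"script", "style"}      # tag AND its content are removed
VOID_TAGS = {"br"}


def safe_url(value):
    """Positive validation of a URL: only http(s) or scheme-less (relative)."""
    # Browsers ignore C0 control characters inside URLs, so remove them before
    # parsing; otherwise "java\nscript:" would slip past the scheme check.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens; nothing is copied through raw."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags awaiting their close tag
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:       # names arrive lowercased from the parser
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # event handlers and unknown attributes
            if value is None or (name == "href" and not safe_url(value)):
                continue                # javascript:/data: links removed
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                      # stray or disallowed close tag ignored
        while self.open_tags:           # close anything still open inside it
            open_tag = self.open_tags.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-encoded


def sanitize(fragment):
    """Return a fragment containing only allowed tags, attributes and text."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:             # balance tags the input left open
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs, one per rule the sanitizer enforces.
    for sample in ('<p onclick="steal()">Hello <b>world</b></p>',
                   '<a href="javascript:alert(1)">click</a>',
                   '<script>alert(1)</script><img src=x onerror=alert(1)>safe',
                   '<a href="https://example.com/?a=1&b=2" title="t">ok</a>'):
        print(repr(sanitize(sample)))
```

Because the parser decodes entities before the checks run, an href of javascript&colon;alert(1) is seen as javascript:alert(1) and rejected, which a regex over the raw string would miss. For a larger application, as the text advises, use a maintained sanitizer library such as bleach or nh3 that tracks browser parsing quirks instead of hand-rolling one.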

Consequences

  • Hijack of legitimate user sessions

  • Disclosure of sensitive information

  • Access to privileged services and functionality

  • Delivery of malware and browser exploits from our trusted domain

